lucidsoftware / cumulus

Cloudformation alternative
http://lucidsoftware.github.io/cumulus/
Apache License 2.0

Error when migrating security group #151

Open gcla opened 7 years ago

gcla commented 7 years ago

I am using the latest code, 9620561ce7334155f485bb68f8964b7580376b53

I see the following error when trying to migrate a security group AWS created for me:

gcla@elgin:~/cumulus$ ~/source/cumulus/bin/cumulus security-groups migrate launch-wizard-24
Processing awseb-e-5u3k2mveua-stack-AWSEBSecurityGroup-1WQZPAS3QBOCB...
/home/gcla/source/cumulus/lib/security/models/RuleConfig.rb:22:in `block in from_aws': undefined method `group_name' for nil:NilClass (NoMethodError)
        from /home/gcla/source/cumulus/lib/security/models/RuleConfig.rb:22:in `map'
        from /home/gcla/source/cumulus/lib/security/models/RuleConfig.rb:22:in `from_aws'
        from /home/gcla/source/cumulus/lib/security/models/SecurityGroupConfig.rb:93:in `block in populate!'
        from /home/gcla/source/cumulus/lib/security/models/SecurityGroupConfig.rb:93:in `map'
        from /home/gcla/source/cumulus/lib/security/models/SecurityGroupConfig.rb:93:in `populate!'
        from /home/gcla/source/cumulus/lib/security/manager/Manager.rb:46:in `block in migrate'
        from /home/gcla/source/cumulus/lib/security/manager/Manager.rb:43:in `each_value'
        from /home/gcla/source/cumulus/lib/security/manager/Manager.rb:43:in `migrate'
        from /home/gcla/source/cumulus/lib/common/Commands.rb:87:in `call'
        from /home/gcla/source/cumulus/lib/common/Commands.rb:87:in `execute'
        from /home/gcla/source/cumulus/lib/common/Commands.rb:127:in `parse'
        from /home/gcla/source/cumulus/bin/cumulus:124:in `<main>'

gcla commented 7 years ago

I used the PP gem to look at what AWS is sending back - this is one of the security groups

#<struct Aws::EC2::Types::SecurityGroup
 owner_id="418454969983",
 group_name="awseb-e-5u3k2mveua-stack-AWSEBSecurityGroup-1WQZPAS3QBOCB",
 group_id="sg-84db3c92",
 description="SecurityGroup for ElasticBeanstalk environment.",
 ip_permissions=
  [#<struct Aws::EC2::Types::IpPermission
    ip_protocol="tcp",
    from_port=80,
    to_port=80,
    user_id_group_pairs=
     [#<struct Aws::EC2::Types::UserIdGroupPair
       user_id="amazon-elb",
       group_name="amazon-elb-sg",
       group_id="sg-843f59ed",
       vpc_id=nil,
       vpc_peering_connection_id=nil,
       peering_status=nil>],
    ip_ranges=[],
    prefix_list_ids=[]>],
 ip_permissions_egress=[],
 vpc_id=nil,
 tags=
  [#<struct Aws::EC2::Types::Tag
    key="aws:cloudformation:stack-name",
    value="awseb-e-5u3k2mveua-stack">,
   #<struct Aws::EC2::Types::Tag
    key="aws:cloudformation:stack-id",
    value=
     "arn:aws:cloudformation:us-east-1:418454969983:stack/awseb-e-5u3k2mveua-stack/09a71a70-22b5-11e6-bbc3-50fae98a10d2">,
   #<struct Aws::EC2::Types::Tag
    key="elasticbeanstalk:environment-name",
    value="Default-Environment">,
   #<struct Aws::EC2::Types::Tag
    key="aws:cloudformation:logical-id",
    value="AWSEBSecurityGroup">,
   #<struct Aws::EC2::Types::Tag
    key="elasticbeanstalk:environment-id",
    value="e-5u3k2mveua">,
   #<struct Aws::EC2::Types::Tag key="Name", value="Default-Environment">]>

I can't find a group name sg-843f59ed using the web console. I see it's under a different user id, amazon-elb, but I'm not yet experienced enough in AWS to know if this is some kind of orphaned object, or if I need to look for it elsewhere.

I'll send a pull request with a diff that let me proceed past the error, though I am not an expert in any of this, so I am not advocating for this change :-) Just sending it as further guidance toward what might be a legitimate fix.

gcla commented 7 years ago

Hmm - my pull request claim was premature. Still investigating...

msiebert commented 7 years ago

It appears that you're using EC2 Classic, which allows you to reference security groups that are outside of your account. This is an issue because Cumulus uses the describe-security-groups operation, which only returns the security groups in your account. Was the security group created through cloudformation or beanstalk, or manually? As far as things that you could do to fix this, there are two options:

1) ignore rules that reference security groups that have a user_id attribute that is not your account id
2) change the resource that has the amazon-elb-sg security to use a security group that you've created within your own account.

Let me know if you have any questions about this!

gcla commented 7 years ago

Hi - thanks for the reply. This is a shared corporate account, so I'm not sure how the security group was created - I suspect someone playing with Elastic Beanstalk. We're not using that in production.

So I understand - for 1), that would be a small, possibly private code change on my part, right?

msiebert commented 7 years ago

Yeah, so on line 22 of RuleConfig, you'd just return nil in the mapping function if user_id isn't your account id, and then .reject out the nils in the result. You'll want to test it and make sure it still diffs correctly. I won't be able to test the actual result because we're not using EC2 Classic so I can't reproduce the scenario.
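A Ruby sketch of the change msiebert describes, added here as an example and not cumulus's own RuleConfig.rb code; the Struct, the account id, the id-to-name table and the sample pairs are constructed stand-ins for the AWS SDK types and the describe-security-groups result:

```ruby
# Added example, not cumulus's own RuleConfig.rb: the change msiebert describes
# for the `map` in from_aws, i.e. return nil for UserIdGroupPairs whose user_id
# is not this account and drop the nils afterwards, so `.group_name` is never
# called on a failed lookup.
#
# Constructed stand-in for Aws::EC2::Types::UserIdGroupPair (assumption: only the
# fields used here are modelled).
UserIdGroupPair = Struct.new(:user_id, :group_name, :group_id, keyword_init: true)

# Assumed account id (the owner_id from the dump above) and an assumed id -> name
# table standing in for what describe-security-groups returns, which only covers
# groups in your own account.
OWN_ACCOUNT_ID = "418454969983"
KNOWN_GROUPS = {
  "sg-84db3c92" => "awseb-e-5u3k2mveua-stack-AWSEBSecurityGroup-1WQZPAS3QBOCB",
}.freeze

# Constructed sample mirroring the pair in the pp output: one foreign (amazon-elb)
# reference plus one same-account reference.
SAMPLE_PAIRS = [
  UserIdGroupPair.new(user_id: "amazon-elb", group_name: "amazon-elb-sg", group_id: "sg-843f59ed"),
  UserIdGroupPair.new(user_id: OWN_ACCOUNT_ID, group_name: nil, group_id: "sg-84db3c92"),
].freeze

# Returns [rules, dropped]: rules for pairs this account owns and can resolve,
# plus the group ids that were skipped, so the operator can see which ingress
# permissions the migrated config no longer expresses.
def rules_from_pairs(pairs, account_id: OWN_ACCOUNT_ID, groups: KNOWN_GROUPS)
  dropped = []
  rules = pairs.map do |pair|
    if pair.user_id != account_id
      dropped << pair.group_id   # foreign owner: describe-security-groups won't list it
      next nil                   # msiebert's "return nil in the mapping function"
    end
    name = groups[pair.group_id]
    next nil if name.nil?        # same-account id that still failed to resolve; stay nil-safe
    { security_group: name, group_id: pair.group_id }
  end.compact                    # the ".reject out the nils" step
  [rules, dropped]
end

if __FILE__ == $PROGRAM_NAME
  rules, dropped = rules_from_pairs(SAMPLE_PAIRS)
  puts "kept:    #{rules.map { |r| r[:security_group] }.join(', ')}"
  puts "skipped: #{dropped.join(', ')}" unless dropped.empty?
end
```

The dropped list is what makes the "make sure it still diffs correctly" check possible: the port 80 rule admitting amazon-elb-sg traffic is silently absent from the migrated config unless something reports it.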